Vditor 3.10.3 allows XSS via an attribute of an A element.
A
NOTE: the vendor indicates that a user is supposed to mitigate this via sanitize=true.
sanitize=true